MFC r207553, r207555, r207651:

Implement the no_user_check option to pam_krb5. This option is available in the Linux implementation of pam_krb5 and allows to authorize a user not known to the local system. Ccache is not used as we don't have a secure uid/gid for the cache file. Usable for authentication of external kerberos users (e.g Active Directory) via PAM from applications like Cyrus saslauthd, PHP or perl. PR: bin/146186 Approved by: deplhij (mentor)
2010-05-17 14:27:40 +00:00 · 2010-05-17 14:27:40 +00:00 · 66a7924d0b
commit 66a7924d0b
parent 58bfd864fa
2 changed files with 35 additions and 24 deletions
--- a/lib/libpam/modules/pam_krb5/pam_krb5.8
+++ b/lib/libpam/modules/pam_krb5/pam_krb5.8
@ -1,7 +1,7 @@
 .\"
 .\" $Id: pam_krb5.5,v 1.5 2000/01/05 00:59:56 fcusack Exp $
 .\" $FreeBSD$
-.Dd January 15, 1999
+.Dd May 3, 2010
 .Dt PAM_KRB5 8
 .Os
 .Sh NAME
@ -108,6 +108,10 @@ and
 .Ql %p ,
 to designate the current process ID; can be used in
 .Ar name .
+.It Cm no_user_check
+Do not verify if a user exists on the local system. This option implies the
+.Cm no_ccache
+option because there is no secure local uid/gid for the cache file.
 .El
 .Ss Kerberos 5 Account Management Module
 The Kerberos 5 account management component
--- a/lib/libpam/modules/pam_krb5/pam_krb5.c
+++ b/lib/libpam/modules/pam_krb5/pam_krb5.c
@ -89,6 +89,7 @@ static void	compat_free_data_contents(krb5_context, krb5_data *);
 #define PAM_OPT_DEBUG		"debug"
 #define PAM_OPT_FORWARDABLE	"forwardable"
 #define PAM_OPT_NO_CCACHE	"no_ccache"
+#define PAM_OPT_NO_USER_CHECK	"no_user_check"
 #define PAM_OPT_REUSE_CCACHE	"reuse_ccache"

 /*
@ -194,34 +195,39 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused,

 	PAM_LOG("Got password");

-	/* Verify the local user exists (AFTER getting the password) */
-	if (strchr(user, '@')) {
-		/* get a local account name for this principal */
-		krbret = krb5_aname_to_localname(pam_context, princ,
-		    sizeof(luser), luser);
-		if (krbret != 0) {
-			PAM_VERBOSE_ERROR("Kerberos 5 error");
-			PAM_LOG("Error krb5_aname_to_localname(): %s",
-			    krb5_get_err_text(pam_context, krbret));
+	if (openpam_get_option(pamh, PAM_OPT_NO_USER_CHECK))
+		PAM_LOG("Skipping local user check");
+	else {
+
+		/* Verify the local user exists (AFTER getting the password) */
+		if (strchr(user, '@')) {
+			/* get a local account name for this principal */
+			krbret = krb5_aname_to_localname(pam_context, princ,
+			    sizeof(luser), luser);
+			if (krbret != 0) {
+				PAM_VERBOSE_ERROR("Kerberos 5 error");
+				PAM_LOG("Error krb5_aname_to_localname(): %s",
+				    krb5_get_err_text(pam_context, krbret));
+				retval = PAM_USER_UNKNOWN;
+				goto cleanup2;
+			}
+
+			retval = pam_set_item(pamh, PAM_USER, luser);
+			if (retval != PAM_SUCCESS)
+				goto cleanup2;
+
+			PAM_LOG("PAM_USER Redone");
+		}
+
+		pwd = getpwnam(user);
+		if (pwd == NULL) {
 			retval = PAM_USER_UNKNOWN;
 			goto cleanup2;
 		}

-		retval = pam_set_item(pamh, PAM_USER, luser);
-		if (retval != PAM_SUCCESS)
-			goto cleanup2;
-
-		PAM_LOG("PAM_USER Redone");
+		PAM_LOG("Done getpwnam()");
 	}

-	pwd = getpwnam(user);
-	if (pwd == NULL) {
-		retval = PAM_USER_UNKNOWN;
-		goto cleanup2;
-	}
-
-	PAM_LOG("Done getpwnam()");
-
 	/* Get a TGT */
 	memset(&creds, 0, sizeof(krb5_creds));
 	krbret = krb5_get_init_creds_password(pam_context, &creds, princ,
@ -366,7 +372,8 @@ pam_sm_setcred(pam_handle_t *pamh, int flags,
 		return (PAM_SERVICE_ERR);

 	/* If a persistent cache isn't desired, stop now. */
-	if (openpam_get_option(pamh, PAM_OPT_NO_CCACHE))
+	if (openpam_get_option(pamh, PAM_OPT_NO_CCACHE) ||
+		openpam_get_option(pamh, PAM_OPT_NO_USER_CHECK))
 		return (PAM_SUCCESS);

 	PAM_LOG("Establishing credentials");